hoakley September 29, 2019 Macs, Technology

Last Week on My Mac: Hollywood’s lessons

Almost a week ago, Variety, a publication not generally known for its coverage of Mac technical issues, reported that a “mysterious data corruption issue” had struck the Mac Pro (Late 2013) computers used in many Los Angeles film and TV editing studios. Further careful investigation by Mr. Macintosh, Avid, Google and others revealed that what had happened was an unusual combination of circumstances.

For your Mac to be vulnerable to this severely debilitating problem, it had to:

have SIP disabled (or be running OS X 10.10.x or earlier, which don’t have SIP), and
have Google’s Keystone updater software, used to autoupdate Google Chrome, try to apply a new update, which has since been pulled.

Google’s rogue Keystone update erroneously attempted to remove the /var symbolic link on the startup volume. As that’s normally protected by SIP, if your Mac was running with SIP enabled, it couldn’t do that, and no harm was done. However, many of the affected Macs were running with SIP disabled, apparently to enable support for third-party video cards. As the Keystone updater also cast aside the last protection on that symbolic link by running as root, it was able to delete that vital link. Without the /var symbolic link, the affected Mac is unable to boot normally.

In case you know anyone who’s still affected by this, a complete set of solutions is available here.

As is so often the case, there are lessons for all of us from this unusual problem.

System Integrity Protection is intended to do exactly what its name declares: protect the integrity of macOS. If for any overriding reason you need to run a Mac with SIP turned off, or not fully on (there are degrees which are controlled in Recovery Mode), then that Mac must be treated as very special. Exposing a Mac with SIP disabled to the slings and arrows of the Internet isn’t something that you should ever choose to do. If the only way that you can use a particular video card or other hardware/software is by turning SIP off, then you shouldn’t think of risking that Mac in general use.

By far the best strategy for macOS security involves, at its centre, keeping SIP enabled fully and at all times. Above all else, this prevents inadvertent modifications being made to your system, regardless of how well protected you might feel that Mac is from malware.

Running old and unsupported versions of macOS which lack protections like SIP is also not something to do without a great deal of care. If it is necessary to be able to use essential hardware or software, then again that Mac must be treated as very special. Once Apple stops providing security updates for a version of macOS, it accumulates a list of known vulnerabilities and is ripe for exploitation by malware. Here, without even the protection afforded by SIP, Yosemite and earlier shouldn’t be exposed to the risks of the Internet, regardless of the browser that’s being used.

We tend to assume that, just because an old version of macOS was fairly safe when Apple stopped providing security updates for it, then that’s the way it remains. That might be true if it contained no vulnerabilities, but not only is that a false assumption, but its vulnerabilities become even better known.

This is also a good illustration of how automatic updating can be dangerous. In a studio full of Macs, it’s a wise plan to update one test system first, and verify that isn’t adversely affected as a result. Had that been observed here, the bug should have become manifest on that test system alone, and others not updated until the bug was fixed.

That Google should have released an auto-update, which it knew would be rapidly deployed across millions of Macs, that contained a script or tool which attempted to delete a key symbolic link within macOS, should also be cause for grave concern. To perform this, the script or tool would have to be running as root, and this bug is prime evidence that Google’s update quality assurance was woefully inadequate.

Several wise people have laid part of the blame on SIP, which is a bit like blaming a sprinkler system for causing a fire. This claim is based on the fact that, when tested on a Mac with SIP enabled, the bug wouldn’t have become apparent. Unfortunately, that reasoning is flawed in two respects.

First, no script or tool in an autoupdater should ever attempt to delete such a key symbolic link at the root level of the boot volume. Any code which attempted that should never have cleared review, let alone got into internal testing.

Assuming the terrifying thought that such code was so obfuscated that the bug wasn’t glaringly obvious, when tested with SIP enabled that command or tool should have returned an error during pre-release testing to indicate its failure to delete the symbolic link, because of the intervention of SIP. That error should have been investigated and the bug discovered well before release. An updater which doesn’t handle, record and report its own errors is a succession of disasters waiting to happen. For these reasons, I have now removed Google Chrome and its updater from my Mac.

The plain fact of the matter is that, in this case, SIP did exactly what it’s designed to do: it prevented third-party software from damaging the system. Who could possibly condemn one of macOS’s primary security mechanisms for doing its job as intended?

Furthermore, as has been pointed out, Catalina will do this better, even when users do turn SIP off. Because its system volume will still be mounted read-only, a rogue installer would not only have to run as root, but also mount the system volume for writing. Roll on Catalina.

15Comments

Add yours

1

Coco on September 29, 2019 at 10:01 am

This bug has almost nothing to do with macOS itself but puts in the light 3 very important facts: 1) SIP does serve its purpose, as least it dit in the present case, and putting the blame on SIP is absolutely delusional–shame on the otherwise very smart people who did so ; 2) the fact that something of this magnitude was successfully hidden in Google’s updater, intentionally or not, and was actually released, sparks concern. Who knows what else such an updater might contain ; 3) unpatched, unprotected systems with a 5+ year-old OS are widespread in industry and they do have access to the Internet, as the use of Chrome emphasized in that case. So yes all the points made in your post are very true and concerning!

LikeLiked by 1 person
- 2
  
  hoakley on September 29, 2019 at 5:44 pm
  
  Thank you.
  We’ve had a long discussion on Twitter today, and opinions differ over the balance of blame, and how significant it is that, in order to be able to do this, Google’s updater must have obtained the user’s authentication in order to run as root. That said, there’s no doubt that SIP did its job, and however much of a pain it may be for developers, it has once again proved its value for the user.
  I think this debate will continue!
  Howard.
  
  LikeLiked by 1 person
3

johannesrexx on September 29, 2019 at 8:58 pm

What IMHO has not been addressed is exactly why people disabled SIP in the first place. It seems it was done to support a vendor’s video card. Doesn’t that mean that some vendor’s driver wasn’t properly signed so disabling SIP was necessary? Then the question becomes why was the driver not signed? Was the vendor unable to get it signed by Apple, in which case the blame is on Apple. Was the vendor unwilling to get their driver signed, in which case the vendor is to blame?

A few years back I recall a nifty little macOS dock customizer called Cdock came out. It stopped working when El Capitan got SIP. IIRC Cdock required the user to install it with SIP disabled, then turn it back on again. I refused to do that being appropriately paranoid about the matter of disabling SIP for any reason.

LikeLiked by 1 person
- 4
  
  hoakley on September 29, 2019 at 9:17 pm
  
  Thanks.
  I’m less concerned at blamestorming here than trying to learn lessons for all users.
  Getting accurate facts is also difficult. From what I have read, the need for SIP to be disabled is because of problems getting the video card drivers signed. No doubt the card developers blame Apple, and Apple would respond that it’s their problem. Meanwhile the users are caught in the middle, with an old model of Mac Pro which should have been replaced years ago, which might in turn have made it easier for their video cards to be supported by properly-signed drivers. So there’s plenty of fingers to point, and plenty of reasons to point them.
  But no matter what happened there, knowing that these systems have SIP disabled, it seems crazy to install a web browser, which could only be used for general browsing on the Internet. They’re lucky this was a bug rather than malware which caught them out.
  Maybe with shiny new Mac Pros and Catalina it will all be different?
  Howard.
  
  LikeLike
5

alvarnell on September 30, 2019 at 4:11 am

[quote]In a studio full of Macs, it’s a wise plan to update one test system first, and verify that isn’t adversely affected as a result. Had that been observed here, the bug should have become manifest on that test system alone, and others not updated until the bug was fixed.[/quote]

I don’t see how we can assume that this was not done. In order for the bug to reveal itself, the test system would have had to have either been running a legacy macOS or have SIP disabled.

LikeLiked by 1 person
- 6
  
  hoakley on September 30, 2019 at 8:04 am
  
  Thank you, Al.
  If your test system is running a standard install of Mojave, and many/most of your production systems are still on Yosemite, then your test isn’t appropriate for the users. I was always told that test systems should be as close as possible to those in production. It’s a pain when you have several contrasting setups in production, as you then need multiple test systems.
  Another principle I was told was that the test system should be the most challenging, that is should depart from ‘normal’ as much as the most ‘abnormal’ production system. So turning SIP off would be prerequisite for a good test system for a studio with Mac Pros running Sierra and SIP turned off.
  In practice, I hear of many setups where only system updates are passed through such testing, and users apply their own app updates without any prior testing or control. I wonder if that may have been the practice here too.
  Howard.
  
  LikeLike
  - 7
    
    alvarnell on September 30, 2019 at 8:58 am
    
    I once helped a developer for a full day of beta testing at an Apple lab that contained every Mac there ever was at the time running all systems that the app was designed to run in. That was probably a couple of decades ago, so I doubt that such a thing exists today. Not sure what that cost the developer (testers were mostly volunteers like me), but suspect it was less than it would have cost to maintain an equivalent suite of Macs. I suspect Google can afford such a Lab, but suspect they don’t bother.
    
    A similar story that I just went through last week was an app from Intel. Installing their latest update of a free tool provided for all Intel platforms resulted in an immediate Kernel Panic caused by their .kext in Mojave. I contacted them and was provided with an updated version to test in less than a day, which worked just fine. Perhaps it was a chip specific issue, but again, apparently never tested on all relevant platforms and OSs.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on September 30, 2019 at 9:07 am
      
      Yes, I remember Apple’s compatibility testing lab, although I never got to use it. As I recall, it was free.
      No – I’m not suggesting that it’s Google who should have such test systems: it’s the studios. If I were managing a studio full of Mac Pros being used for video editing, then not one of them would have any app updates applied until the update had been cleared as being ‘safe’ for those production systems.
      Maybe I’m just a control freak, but when I worked on a corporate network, that was the policy applied across all connected systems, not just for system updates, but for every single app and tool.
      This is hard on developers. I don’t test my free apps on anything more than I have to hand here, and don’t test with SIP turned off, for instance. I don’t think that Google should have needed to do that, if their updater handled errors properly, as the moment SIP refused to let it remove the /var symlink on a SIP-protected system, they should have detected the problem. Unless, of course, they weren’t looking for errors!
      Howard.
      
      LikeLike
    - 9
      
      alvarnell on September 30, 2019 at 9:55 am
      
      Yes, they probably should have seen there were errors, but I’ve all but given up on trying to use the logs to figure out what errors are actually critical app issues. My console window is a steady stream of errors and faults (and similarly with verbose boots that only involve macOS). But clearly the developer should be able to sort out those that are truly vital for stable operation.
      
      LikeLiked by 1 person
10

John on September 30, 2019 at 6:34 am

Keystone has never been a secret. All of Google’s apps rely on it, including Earth as well as Chrome.

When Chrome was first introduced (accompanied by Keystone), the notion of a new, faster browser option was intriguing, but I declined to use it on the principle of not having Google (or any vendor for that matter) automatically perform silent updates in the background with neither notification nor my explcit consent. That is how Keystone has functioned from the beginning.

Putting aside the “complex” relationship that exisits between Nvidia and Apple (which is not alone in that regard), it was ultimately Google’s responsbility to not release a buggy update that damaged basic System structures.

LikeLiked by 1 person
11

Paul on September 30, 2019 at 10:46 am

TBH I don’t trust Google and Chrome as far as I can chuck them. What are they even doing in the system folder at root level. Is this required for a browser application update? Since I rely on this browser for testing websites at work, I have now disabled auto updates (although on my domestic Macs it will be deleted completely – I also don’t like the security / use of data / constantly running system processes). Since Google Chrome doesn’t provide any obvious method of turning auto-updates off, I have updated the Plist file using BBEdit setting the interval to ‘0’. There are several methods described here: https://bit.ly/2Jpq1c2

LikeLiked by 1 person
- 12
  
  hoakley on September 30, 2019 at 11:41 am
  
  Thank you.
  One significant factor here is whether you allow Chrome (or Google updates) to update for all users. A basic install, which only allows updating for one user, doesn’t gain root, and stores its updater folder in the single user’s Home folder.
  However, the updater can also encourage you to enable updates for all users, which is also a popular option for many. Only then can it prompt you to authenticate and give it root privileges, and then could mess with such folders. So you can still have autoupdate running (if you really want), just don’t let it do so for all users.
  Howard.
  
  LikeLike
13

Weekly News Summary for Admins — 2019-10-04 – Cebu Scripts on October 4, 2019 at 6:16 pm

[…] Last Week on My Mac: Hollywood’s lessons – Howard Oakley […]

LikeLike
14

chmaynard on October 4, 2019 at 9:38 pm

I think you meant to say: “Several wise people have laid part of the blame on SIP, which is a bit like blaming a disabled sprinkler system for causing a fire.”

Regarding “Roll on Catalina.”, I won’t be upgrading any time soon. I need iTunes to manage my music library, and the new Music app doesn’t do the job.

[Amended at the author’s request.]

LikeLiked by 1 person
- 15
  
  hoakley on October 4, 2019 at 10:18 pm
  
  Thank you.
  Yes, you would have thought that, but actually the argument goes that, had SIP not been active on the developer’s test systems, then they would have noticed the bug. So their logic runs that Apple shouldn’t implement a security measure which obscures serious bugs like this.
  Hopefully the new Music app will mature (be completed) quickly, allowing you to upgrade soon.
  Howard.
  
  LikeLike